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(1) Real Party in Interest 

IBM Corporation 

(2) Related Appeals and Interferences 

None 

(3) Status of Claims 

The statement of the status of the claims contained in the brief is correct. 

(4) Status of Amendments After Final 
No After Final Amendments were filed. 

(5) Summary of Invention 

The summary of invention contained in the brief is correct. 

(6) Issues 

The appellant's statement of issues in the brief is correct 

(7) Claims Appealed 

The copy of the appealed claims contained in the Appendix to the brief is correct. 

(8) Prior Art of Record 

5,958,053 Denker 28 September 1999 

TCP/IP Illustrated Volume 1 The Protocols by W. Richard Stevens 1994, page 231 

(9) Grounds of Rejection 

The following grounds of rejection are applicable to the appealed claims: 
Claims 1-5 and 7-14 are rejected under 35 U.S.C. 102(e). This rejection is set forth in a 
prior Office Action, mailed on 13 January. 2005. 
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Regarding claim 1, the previously stated rejection is based upon U.S. Patent No. 
5,958,053 to Denker (hereinafter '053). 

As per the first limitation of claim 1, "A method for defeating, in a server unit of an 
Internet Protocol network, a SYN flooding attack 55 is taught in £ 053 col. 4, lines 48-52 "The 
protocols of the present invention provide excellent protection against SYN Flooding because 
minimal resources are allocated in response to a SYN message, while permitting the server to 
implement all client requested options". 

As per the second limitation, "said server unit running Transport Control Protocol to 
allow the establishment of one or more transmission control protocol connections with one 
or more client units' 5 is shown in £ 053 col. 6, lines 19-64 "Network Environment ... Network 
environment 100 includes multiple devices including client 105 and server 110 ... Each of Client 
1 05 and server 1 10 includes an implementation of TCP and IP . . . The present invention is 
applicable to a wide variety of computers and other devices". 

As per the third limitation, "said method comprising the steps of: upon having 
activated the transmission control protocol in said server unit: listening for the receipt of a 
SYN message sent from a client unit 55 and "resuming to said listening step 55 is disclosed in 
'053 col. 6, lines 59-60 "The term "server" means a device which listens for and accepts TCP 
connection request". 

As per the fourth limitation, "upon receiving said SYN message: computing an Initial 
Sequence number Receiver side 55 is taught in £ 053 col. 7, lines 5-46 "Server 1 10 then receives 
the SYN message of step 1 from client 105, state 20C. After receiving the SYN message of step 
1020C, server 1 10 performs only the minimal communication and computation, and allocates no 
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memory resources for the incipient connection. Server 1 10 sends a SYNACK message (in step 
2030C) to client 105, with the sequence number set to 300 (in the example), the 
acknowledgement number set to 101 to acknowledge the SYN message to step 1020C". The 
computed initial sequence number Receiver side is 10 I. see FIG. 4. 2030C. 

As per the fifth limitation, "wherein said Initial Sequence number Receiver side is 
embedded with connection parameters specified in the SYN message" is shown in '053 col. 
7, lines 46-58 "The SYNACK message (in step 2030C) also includes an encoded value 
(represented in FIG. 4 as $c) ". The connection parameters speci fied in the SYN message are Sc 
which can include additional parameters such as "connection parameters" for example client's 
port, the server 's IP address, the server 's port, see FIG. 4 203 PC. 

As per the sixth limitation, "responding to said client unit with a SYN-ACK message 
including said computed said Initial Sequence number Receiver side" is disclosed in £ 053 
col. 7, lines 32-46 "Server 110 then receives the SYN message of step 1 from client 105, state 
20C. After receiving the SYN message of step 1020C, server 1 10 performs only the minimal 
communication and computation, and allocates no memory resources for the incipient 
connection. Server 1 1 0 sends a SYNACK message (in step 2030C) to client 105, with the 
sequence number set to 300 (in the example), the acknowledgement number set to 101 to 
acknowledge the SYN message to step 1020C". 

As per the seventh limitation, "responsive to receiving an ACK message, determining 
whether to establish a transmission control block for the client unit by evaluating an 
incremented value of the Initial Sequence number Receiver side included in the ACK 
message 5 ' is shown in '053 col. 8, lines 14 through col 9, line 1 "At state 30C, client 105 



Application/Control Number: 09/755,564 Page 6 

Art Unit: 2134 

receives the SYNACK message of step 2030C and the connection is established on client 105's 
end ... In step 3040C, client 105 then sends an ACK message to server 110 with a sequence 
number set to 101, an acknowledgement number set to 301 to acknowledge the SYNACK 
message of step 2030C, and with the ACK flag set . . . After server 110 receives the ACK 
message of step 3040C, server 110 analyzes the encoded value passed in the ACK message of 
step 3040C to determine if it passes an appropriate mathematical (i.e., cryptologic) test. As one 
example of the appropriate mathematical test, server 1 10 recalculates the output of the 
mathematical function used previously by server 1 10 (to calculate the encoded value $c) using 
the parameters passed in the message of step 3040C". Note the Initial Sequence number 
Receiver side of 101 is included in the ACK message see FIG. 4 t 304 PC. as per TCP. 

The TCP handshake is well known in the art for connection establishment, the reference 
'053 shows incrementing the sequence number in SYN messaged passed (from 100 to 101 / from 
300 to 301) in the example provided. Incrementing the sequence number by one in order to 
acknowledge the TCP connection in relation to c 053 FIG. 4, is a basic operation of TCP; see 
TCP/IP Illustrated Volume 1 The Protocols by W. Richard Stevens page 231 (copyrighted in 
1994). 

Claims 2, 11, 12, and 14 stand or fall with claim 1. Claims 1 1 and 14 are independent 
claims containing limitation similar to those present in claim 1. 

Regarding claim 3, "wherein said computing step further comprises the steps of: 
updating, in said server unit, a pseudo-random number (PRN) generator holding a current 
key; remembering a former key; and using said current key as said randomly generated 
key for said computed Initial Sequence number Receiver side" is shown in '053 col. 5, lines 
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1 6-25 "If the client's address is not on the server's Friends Table, the server calculates an 
encoded value. The encoded value is calculated as the mathematical function of at least the 
client's address and a secret (i.e. random number) known only to the server. The server sends 
and ACK message to the client including the calculated encoded value as the acknowledgment 
number". 

Claims 10 and 13 stand or fall with claim 3. 

Regarding claim 4, "wherein the step of concatenating said server signature and said 
category index further includes the step of picking up a category index within said set of 
predefined connection categories on the basis of the content of said received SYN message" 

is disclosed in 053 col. 7, lines 47-67 "The SYNACK message of step 2030C also includes an 
encoded value (represented in FIG. 4 as $c). For security reasons, the encoded value $c can be 
calculated by server 1 10 as a cryptologic function (or mathematical function) that depends upon 
at least the EP address of client 105 and a secret only known to server 1 10. The encoded value $c 
can be a crytologic function which depends upon one or more additional parameters (in addition 
to the secret and the IP address of client 105), including: the client's port, the server's IP address, 
the server's port, and the clients' sequence number, and other things. For example the encoded 
value $c an be calculated by server as follows $c=MD5 has(client's IP address, client's port, 
server's IP address, server's port, random secret) + client's initial sequence number ". 

Regarding claim 5, "wherein said updating step includes the step of: updating said 
PRN generator at a rate not higher than an Maximum Segment Lifetime defined in said 
transmission control protocol connections" is taught in £ 053 col. 8, lines 60 through col. 9, 
line 25 "After server 1 10 receives the ACK message of step 3040C ... As one example of the 
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appropriate mathematical test, server 1 10 recalculates the output of the mathematical function 
used previously by server 1 10 (to calculate the encoded value $c) using the parameters passed in 
the message of step 3040C. In an embodiment where the encoded value $c is calculated as a 
mathematical function of the client's IP address and the secret known only to server 110, server 
] 1 0 recalculates the encoded value using the client IP address provided in the message of step 
3040C and the secret. In the embodiment where the encoded value $c of step 203 0C was 
calculated as a cryptologic function of equation 1, the new calculated value can be calculated by 
server 110 as: 

New calculated value MD5 hash (client's EP address msg 3, client's portmsgso^c, 
server's EP address mS g304oc server's portmsgscMoc, random secret)+ 
(client's sequence number msg 3040c-i). (Eq, 2). 

Equation 2 states that the new calculated value can be calculated as the MD5 hash function of the 

random secret and the following parameters contained in the message of step 3040C: (the client's 

IP address, the client's port, the server's IP address, the server's port), plus the (sequence number 

in the message of step 3040C)-1". 

Regarding claim 7, as per the first limitation of claim 7, "A method for defeating, in a 
server unit of an IP network, a SYN flooding attack" is taught in '053 col. 4, lines 48-52 "The 
protocols of the present invention provide excellent protection against SYN Flooding because 
minimal resources are allocated in response to a SYN message, while permitting the server to 
implement all client requested options". 
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As per the second limitation, "said method comprising the steps of listening for an 
ACK message sent from a client unit" and "resuming to said listening step" is shown in 
'053 col. 6, lines 59-60 "The term "server" means a device which listens for and accepts TCP 
connection request". 

As per the third limitation, "upon receiving said ACK message, evaluating a value of 
an Initial Sequence number Receiver side included that includes content comprising 
embedded connection parameters specified in a previously received SYN message as an 
authentic computed Initial Sequence number Receiver side" is disclosed in '053 col. 8, lines 
14 through col. 9 5 line 1 "At state 30C, client 105 receives the SYNACK message of step 2030C 
and the connection is established on client 1 OS's end ... In step 3040C, client 105 then sends an 
ACK message to server 1 10 with a sequence number set to 101, an acknowledgement number set 
to 301 to acknowledge the SYNACK message of step 2030C, and with the ACK flag set . . . After 
server 110 receives the ACK message of step 3040C, server 110 analyzes the encoded value 
passed in the ACK message of step 3040C to determine if it passes an appropriate mathematical 
(i.e., cryptologic) test. As one example of the appropriate mathematical test, server 110 
recalculates the output of the mathematical function used previously by server 1 10 (to calculate 
the encoded value $c) using the parameters passed in the message of step 3040C". Note the 
Initial Sequence number Receiver side of 101 is included in the ACK message see FIG. 4. 3040C 
as per TCP. The connection parameters specified in the SYN message are $c which can include 
additional parameters such as "connection parameters" for example client f s port the server 's 
IP address, the server *s port, see FIG. 4 2030C 
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As to the fourth limitation, "and responsive to evaluating the value of the Initial 
Sequence Number Receiver side as an authentic computed Initial Sequence number 
Receiver side, allocating resources for a transmission control protocol connection 
according to said content; and 55 is taught in '053-col. 9, lines 20-33 "Server 1 10 then compares 
the new calculated encoded value to the encoded value $c received by server 1 10 in the message 
of step 3040C. If these two values match, then the message of step 3 passes the cryptologic test 
and client 105 is properly complying ... Server 1 10 then allocates a full Transmission Control 
Block in memory for storing all required information regarding the connection with client 105 
(including the client requested options), and the TCP connection is now fully established, step 
40C". 

The TCP handshake is well known in the art for connection establishment, the reference 
£ 053 shows incrementing the sequence number in SYN messaged passed (from 100 to 101 / from 
300 to 301) in the example provided. Incrementing the sequence number by one in order to 
acknowledge the TCP connection in relation to '053 FIG. 4, is a basic operation of TCP; see 
TCP/IP Illustrated Volume 1 The Protocols by W. Richard Stevens page 231 (copyrighted in 

1994): 

Claims 8 and 9 stand or fall with claim 7. 
(10) Response to Arguments 

Regarding Appellant's argument 1, "that Denker does not anticipate claim 1 because 
Denker does not show or suggest the claimed step of: responsive to receiving and ACK message, 
determining whether to establish a transmission block from the client unit by evaluating an 
incremented value of the Initial Sequence number Receiver side included in the ACK message". 
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The grounds of rejection stated above show that the invention disclosed by Denker 
receiving and evaluating an ACK message received with an increment value of the Initial 
Sequence number Receiver side. It is noted that the incremented Initial Sequence number is a 
known element of the standard TCP protocol. 

Regarding Appellant's second argument, "Denker does not anticipate claim 3 because 
Denker does not show the steps of updating a PRN, holding a current key, remembering a current 
key, and using a current key as claimed". ' 

The grounds of rejection stated above shown that the invention disclosed by Denker 
updates or recalculates the key. The random number is generated at the server and used in 
calculation of the encoded value which is used in the messages exchanged when establishing the 
connection. 

Regarding Appellant's third argument, u Denker does not anticipate claim 4 because 
Denker does not disclose picking a category index within said set of connection categories on the 
basis of content said SYN message, as claimed". 

The grounds of rejection stated above shown that the invention disclosed by Denker uses 
an encoded value $c which includes various parameters including connection parameters (i.e. 
server port number, client port number, IP address). 

Regarding Appellant's fourth argument, "Denker does not anticipate claim 5 because 
Denker shows none of the limitation of claim 5 ... the cited passage manifestily does not show or 
suggest updating a PRN generator at a maximum rate as claimed". 

The grounds of rejected stated above show the secret (which can be or include a random 
number) is recalculated. The rate at which the secret is updated is in accordance with the 
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transmission protocol as claimed, not at a maximum rate as argued. Claim 5 states: "at a rate not 
higher than a Maximum Segment Lifetime defined in said transmission control protocol 
connections". 

Regarding Appellant's fifth argument, "Denker does not anticipate claim 7 because 
Denker does not show the step of: responsive to evaluating the value of the Initial Sequence 
Number Receiver side". 

The ground of rejection stated above show the evaluation of the ISN receiver side. The 
ISN receiver side in the example provided as well as in FIG. 4 is 101, the evaluation of the 
message containing 101 is shown in the rejection above. 

For the above reasons, it is believed that the rejections should be sustained. 



Respectfully submitted, 



Ellen Tran 
Patent Examiner 
Technology Center 2134 
i August 2005 



GREGORY MORSE 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 
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